
When reviewing some of our Windows servers, it can be extremely tedious to tell whether a security update is relevant to our system. A patch to IIS is irrelevant if we use Apache; an exploit affecting HTTP connections is not relevant if all our sites require HTTPS.

Identifying which patches are relevant, to avoid unnecessary changes to the system, is very tedious. You need to click a link in every single update for More Info (which is even more fun when the server browser disallows all scripting on the destination page and Microsoft's own site breaks) because the patch summary is useless.

Typical Windows Update summary

Is there a way to summarize the recommended update lists for a server (or client) that improves upon the poor summary Microsoft provides, so that loading a separate browser page for every update is not necessary just to see what the update is for?

The use-case for this is quick, ad-hoc updates on individual servers, rather than organizational patch management.

Myrddin Emrys
    I actually liked your question and voted to reopen, but in case that doesn't happen I'll jot my thoughts down here. I started whipping up a PowerShell script that invoked a web request and parsed the response to provide the information you wanted, but I don't think it's going to work well. The KB articles can't be counted on to have any real information. For instance, KB2840149's page at http://support.microsoft.com/kb/2840149 would provide us with no more useful information than you're seeing in the Windows Update GUI. I'm afraid we're stuck with the mostly useless summaries provided. – pk. Jun 17 '14 at 14:17
  • @pk. I don't wanna swoop in and snipe the answer away from you, because your comment is the answer. The summaries may be vague and generally less than useful, but it's all MS releases, generally, so it's all we have. The price of security and like that there. Anyhow, you really ought to put that in an answer. – HopelessN00b Jun 18 '14 at 03:18

1 Answer


I agree with the comments so far. It is challenging to get the right info. The monthly "executive" summary is actually okay. It gives you a product name (.NET, Office, IE, SQL) and an exploit classification type - usually Remote Code, Elevation of Privilege, Security Bypass. https://technet.microsoft.com/en-us/library/security/ms14-aug.aspx

You may also want to look at MBSA (Microsoft Baseline Security Analyzer, at download.microsoft.com). It can scan an individual or range of machines, what is missing/installed, produces a report with links to hotfixes that are already installed, but does not have links for hotfixes that are missing. Go figure.

Clayton
  • Thank you, I didn't know about that bulletin. Still not quite an answer though because it comes out so far after the patch. A script that married that data to the missing patches would be useful when updating a long ignored server though. – Myrddin Emrys Sep 06 '14 at 16:34
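The asker's follow-up comment wants a script that ties the pending patches on a server to the bulletin data the answer points at. Most of that metadata is already exposed locally by the Windows Update Agent COM API, without fetching any KB page: each applicable update carries its KB numbers, its MSRC severity, the security bulletin IDs (the MSyy-nnn identifiers used in the monthly summary linked above) and its category/product names. The following PowerShell is an added example written for this page; it is not code from the question, the answer, or Microsoft. It assumes an elevated PowerShell session on the machine being reviewed and that the Windows Update Agent is present (true on any supported Windows server); the CSV path under $env:TEMP is an arbitrary choice.

```powershell
# Added example (not from the original question or answer): list the updates
# Windows Update considers applicable to this machine, one summary line each,
# using metadata the Windows Update Agent (WUA) COM API already exposes.
# Run in an elevated PowerShell session on the server being reviewed.

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

# Not installed, not hidden: the same set the Windows Update GUI shows as
# available. IsHidden=0 skips updates an admin has deliberately hidden.
$result = $searcher.Search('IsInstalled=0 and IsHidden=0')

$summary = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        # KBArticleIDs is a string collection; prefix each with "KB".
        KB         = @($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        # MsrcSeverity is only set on security updates (Critical/Important/...).
        Severity   = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { '-' }
        # Bulletin IDs (e.g. MS14-045) map directly to the monthly summary.
        Bulletins  = @($u.SecurityBulletinIDs | ForEach-Object { $_ }) -join ','
        # Categories name the product/component ("Security Updates",
        # ".NET Framework 4.5", "Windows Server 2012 R2"), which is usually
        # enough to decide whether the update touches something you run.
        Products   = @($u.Categories | ForEach-Object { $_.Name }) -join ';'
        Title      = $u.Title
        # Microsoft's own one-paragraph summary, kept for the CSV only.
        Description = $u.Description
        SupportUrl = $u.SupportUrl
    }
}

# Security updates first, Critical before Important; non-security last.
$order = @{ Critical = 0; Important = 1; Moderate = 2; Low = 3 }
$summary |
    Sort-Object { if ($order.ContainsKey($_.Severity)) { $order[$_.Severity] } else { 9 } }, KB |
    Format-Table -AutoSize KB, Severity, Bulletins, Products, Title

# Keep the full set (including Description and SupportUrl) so the triage
# decisions for a long-ignored server can be reviewed later. Path is arbitrary.
$summary | Export-Csv -NoTypeInformation -Path "$env:TEMP\pending-updates.csv"
```

Two caveats from practice. The Products column is what answers the "IIS vs. Apache" question in the post: an update whose categories name a component the server does not have installed is still offered only if WUA decided it applies, so treat the category as a hint for relevance, not proof. And the Bulletins column is only populated for updates that had a bulletin; Microsoft stopped issuing MSyy-nnn bulletins in 2017 in favour of the Security Update Guide, so on current systems that column is empty and the KB number is the key to search on instead.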